What are the most effective PDF evasion techniques?


Rick K. M.

Oct 22, 2012, 3:02:02 PM10/22/12
to origa...@googlegroups.com
Hi all

First of all, sorry for sending too many e-mails in sequence.

We have tons of PDF exploits available on the internet, however most of them are detected by most antivirus products since they are public. I noticed that detection is not based on the shellcode, but on the vulnerability trigger itself. In your opinion, what are the most effective ways to bypass these detection systems? Encryption? Compression? Embedding one PDF inside another, signing a PDF, or what?

All input is very welcome.

Also, if anyone has a study about it, I would love to read it.

Thanks

jena peoples

Oct 22, 2012, 3:04:07 PM10/22/12
to origa...@googlegroups.com
I think you have to first specify what triggers the AV. If you could use the PDF parser to determine whether or not you've successfully hidden your exploits, that may be a last step. So the first and last step for you! Haha

Rick K. M.

Oct 22, 2012, 3:11:29 PM10/22/12
to origa...@googlegroups.com
Hi Jena

I guess there should exist some kind of generic methods independent of the vulnerability being triggered, no? I mean, something similar to what hackers have been doing with executables: they use encoding, packers, binders, etc. and bypass most AVs.

I'm more interested in generic approaches that could be used against different PDF exploits.

All opinions are very welcome.

Thanks.

Guillaume Delugré

Oct 24, 2012, 9:06:11 AM10/24/12
to origa...@googlegroups.com
Hello Rick,


I wrote it quite a long time ago, but I think some ideas are still applicable. One thing about PDF is that the format is very rich and tedious to implement completely. As a result, a lot of AV software just implements a subset of PDF, and it can go wrong or abort its analysis when it encounters a feature it didn't expect.

For instance, Adobe Reader X introduced a new password derivation algorithm for the encryption of documents. This is not part of the PDF specification at the moment, and I doubt a lot of AVs are capable of decrypting documents with this method.


Regards,
Guillaume
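As an added, defender-side illustration of the point in Guillaume's post (this is example code written for this page, not code from the thread or from any participant): a small Python triage script that treats a feature it cannot fully decode as a reason to escalate rather than to pass the file. The sample PDF bytes are constructed by hand for the test, the watched name list and the verdict thresholds are this example's own choices, and the SHA-256 based /R 5 and /R 6 revisions of the /Standard security handler are used as the "feature a subset-only parser may not handle" case.

```python
import re

# Constructed sample (hand-built for this example, not a real document): a
# minimal PDF whose trailer points at a /Standard security handler using the
# SHA-256 based revision (/V 5 /R 6, /AESV3) and that carries an embedded file.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Filter /Standard /V 5 /R 6 /Length 256"
    b" /CF << /StdCF << /CFM /AESV3 >> >> >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 10 >> stream\n%PDF-1.4..\nendstream endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"
)

# Names a subset-only parser tends to skip or choke on; surface them rather than pass the file.
WATCH_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/ObjStm", "/XFA", "/Encrypt")
ACTIVE_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/XFA")

def encryption_info(data):
    """Return {'V', 'R', 'cfm'} for the /Standard security handler's own dictionary, else None."""
    m = re.search(rb"/Filter\s*/Standard\b", data)
    if not m:
        return None
    end = data.find(b"endobj", m.start())          # only inspect this object
    window = data[m.start():end if end != -1 else len(data)]
    v = re.search(rb"/V\s+(\d+)", window)
    r = re.search(rb"/R\s+(\d+)", window)
    cfm = re.search(rb"/CFM\s*/(\w+)", window)
    return {"V": int(v.group(1)) if v else 0,
            "R": int(r.group(1)) if r else 0,
            "cfm": cfm.group(1).decode() if cfm else None}

def count_keys(data):
    """Count each watched name without matching longer names that share its prefix."""
    return {k: len(re.findall(re.escape(k.encode()) + rb"(?![A-Za-z])", data))
            for k in WATCH_KEYS}

def triage(data):
    """Fail closed: anything the scanner cannot fully decode is escalated, not ignored."""
    enc, counts = encryption_info(data), count_keys(data)
    if enc and enc["R"] >= 5:
        verdict = "escalate"   # SHA-256 handler: a legacy engine may not be able to decrypt
    elif enc or any(counts[k] for k in ACTIVE_KEYS):
        verdict = "review"     # RC4/AESV2 encryption, or active/embedded content present
    else:
        verdict = "clean"
    return {"verdict": verdict, "encryption": enc, "counts": counts}
```

The byte-level regexes are deliberately crude (no object-stream or cross-reference parsing), which is exactly why the verdict errs toward escalation when the file uses something the scan does not understand.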

jena peoples

Oct 24, 2012, 4:18:26 PM10/24/12
to origa...@googlegroups.com
Guillaume,

Are you planning on speaking at any cons in the near future? 

Philippe Lagadec

Oct 24, 2012, 4:22:35 PM10/24/12
to origa...@googlegroups.com
Hi,

I also collected quite a lot of information (since 2000) about PDF security and obfuscation techniques here:
http://www.decalage.info/en/file_formats_security/pdf

I think it's quite hard nowadays (with Adobe Reader X) to create a PDF which will execute anything useful.
The main tricks used in the past few years are now blocked, and the sandbox makes exploitation very difficult.
Good luck :-)

Philippe.

Richard Miles

Oct 24, 2012, 6:40:17 PM10/24/12
to origa...@googlegroups.com
Guillaume,

Thanks for the answer; the links are very nice.

BTW, do you know what happened, such that there is no public working exploit affecting Adobe Acrobat Reader version >= 10? Has Adobe Acrobat Reader become impossible to exploit?

Thanks.

Richard Miles

Oct 24, 2012, 6:42:29 PM10/24/12
to origa...@googlegroups.com
Philippe,

Thanks, this is a great collection.

So overflows are not practical anymore against Adobe Acrobat Reader?

I only see DoS PoCs for Adobe Acrobat Reader version >= 10.X

http://www.exploit-db.com/exploits/22155/
http://www.exploit-db.com/exploits/17473/

The only one that claims to work against version 10.1.1 is not working, because there are only offsets for version 9.X.

Thanks.
